ldap: Switch ldap_id_use_start_tls default to True

Resolves: #6681
SSSD · Oct 5, 2023 · e80ca15 · e80ca15
1 parent 0c5aefc
commit e80ca15
Show file tree

Hide file tree

Showing 16 changed files with 27 additions and 3 deletions.
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
@@ -938,7 +938,7 @@
                             </itemizedlist>
                         </para>
                         <para>
-                            Default: false
+                            Default: true
                         </para>
                     </listitem>
                 </varlistentry>

diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
@@ -75,7 +75,7 @@ struct dp_option default_basic_opts[] = {
     { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-    { "ldap_id_use_start_tls", DP_OPT_STRING, { "false" }, NULL_STRING },
+    { "ldap_id_use_start_tls", DP_OPT_STRING, { "true" }, NULL_STRING },
     { "ldap_id_mapping", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },

diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py
@@ -157,6 +157,7 @@ def prepare_sssd(request, ldap_conn, use_fully_qualified_names=False,
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap

diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py
@@ -143,6 +143,7 @@ def format_basic_conf(ldap_conn, schema):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls           = allow
         debug_level                     = 0xffff
         enumerate                       = true
         {schema_conf}

diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py
@@ -213,6 +213,7 @@ def format_basic_conf(ldap_conn, schema, config):
         ldap_search_base    = {ldap_conn.ds_inst.base_dn}
         ldap_user_extra_attrs = extraName:uid
         ldap_user_certificate = userCert
+        ldap_id_use_start_tls = allow
 
         [application/app]
         inherit_from = LDAP

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
@@ -128,6 +128,7 @@ def format_basic_conf(ldap_conn, schema):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         debug_level         = 0xffff
         {schema_conf}
         id_provider         = ldap

diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py
@@ -164,6 +164,7 @@ def disable_memcache_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap
@@ -190,6 +191,7 @@ def disable_pwd_mc_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap
@@ -216,6 +218,7 @@ def disable_grp_mc_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap
@@ -242,6 +245,7 @@ def disable_initgr_mc_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap
@@ -267,6 +271,7 @@ def sanity_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap
@@ -292,6 +297,7 @@ def fqname_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap
@@ -318,6 +324,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap
@@ -346,6 +353,7 @@ def zero_timeout_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap

diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
@@ -116,6 +116,7 @@ def format_basic_conf(ldap_conn, schema):
         auth_provider       = ldap
         ldap_uri            = {ldap_conn.ds_inst.ldap_url}
         ldap_search_base    = {ldap_conn.ds_inst.base_dn}
+        ldap_id_use_start_tls = allow
         ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn}
     """).format(**locals())
 

diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py
@@ -91,6 +91,7 @@ def format_basic_conf(ldap_conn, ignore_unreadable_refs):
         ldap_default_bind_dn = {ldap_conn.ad_inst.admin_dn}
         ldap_default_authtok_type = password
         ldap_default_authtok = {ldap_conn.ad_inst.admin_pw}
+        ldap_id_use_start_tls = allow
 
         ldap_schema = ad
         ldap_id_mapping = true

diff --git a/src/tests/intg/test_resolver.py b/src/tests/intg/test_resolver.py
@@ -121,6 +121,7 @@ def format_basic_conf(ldap_conn, schema):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         debug_level         = 0xffff
         {schema_conf}
         id_provider         = ldap

diff --git a/src/tests/intg/test_session_recording.py b/src/tests/intg/test_session_recording.py
@@ -149,6 +149,7 @@ def format_basic_conf(ldap_conn, schema):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls            = allow
         debug_level                      = 0xffff
         enumerate                        = true
         {schema_conf}

diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
@@ -140,6 +140,7 @@ def format_basic_conf(ldap_conn, schema, config):
         ldap_uri            = {ldap_conn.ds_inst.ldap_url}
         ldap_search_base    = {ldap_conn.ds_inst.base_dn}
         ldap_sudo_use_host_filter = false
+        ldap_id_use_start_tls = allow
         debug_level=10
         ldap_user_certificate = userCertificate;binary
     """).format(**locals())

diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py
@@ -143,6 +143,7 @@ def sanity_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap
@@ -169,6 +170,7 @@ def fqname_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap
@@ -195,6 +197,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
 
         [domain/LDAP]
         ldap_auth_disable_tls_never_use_in_production = true
+        ldap_id_use_start_tls = allow
         ldap_schema         = rfc2307
         id_provider         = ldap
         auth_provider       = ldap

diff --git a/src/tests/intg/test_sudo.py b/src/tests/intg/test_sudo.py
@@ -135,6 +135,7 @@ def format_basic_conf(ldap_conn, schema):
         ldap_search_base    = {ldap_conn.ds_inst.base_dn}
         ldap_sudo_use_host_filter = false
         ldap_sudo_random_offset = 0
+        ldap_id_use_start_tls = allow
         debug_level=10
     """).format(**locals())
 

diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
@@ -161,6 +161,7 @@ def setup_rfc2307bis(request, ldap_conn):
         auth_provider           = ldap
         sudo_provider           = ldap
         ldap_group_object_class = groupOfNames
+        ldap_id_use_start_tls   = allow
         ldap_uri                = {ldap_conn.ds_inst.ldap_url}
         ldap_search_base        = {ldap_conn.ds_inst.base_dn}
     """).format(**locals())
@@ -186,6 +187,7 @@ def setup_rfc2307(request, ldap_conn):
         id_provider             = ldap
         auth_provider           = ldap
         sudo_provider           = ldap
+        ldap_id_use_start_tls   = allow
         ldap_uri                = {ldap_conn.ds_inst.ldap_url}
         ldap_search_base        = {ldap_conn.ds_inst.base_dn}
     """).format(**locals())

diff --git a/src/tests/multihost/basic/test_ldapapi.py b/src/tests/multihost/basic/test_ldapapi.py
@@ -17,7 +17,8 @@ def set_ldap_uri(multihost):
     tools = sssdTools(multihost.master[0])
     domain_name = tools.get_domain_section_name()
     master = sssdTools(multihost.master[0])
-    domain_params = {'ldap_uri': ldap_uri}
+    domain_params = {'ldap_uri': ldap_uri,
+                     'ldap_id_use_start_tls': 'allow'}
     master.sssd_conf(f'domain/{domain_name}', domain_params)
     multihost.master[0].service_sssd('restart')